'''The Sleuth Kit''' (TSK) is a collection of [[UNIX]]-based command line tools that allow you to investigate a computer. The current focus of the tools is the file and volume systems and TSK supports [[FAT]], [[Ext2]]/[[Ext3|3]], [[NTFS]], [[UFS1]], and [[UFS2]] [[file system]]s.

+

'''The Sleuth Kit''' ('''TSK''') is a collection of [[UNIX]]-based command line tools that allow you to investigate a computer. The current focus of the tools is the file and volume systems and TSK supports many [[file system | file systems]] (see below).

[[Autopsy]] is a frontend for TSK which allows browser-based access to the TSK tools.
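
Review bot: The revised opening sentence replaces the explicit list of supported file systems (FAT, Ext2/Ext3, NTFS, UFS1, UFS2) with "many file systems (see below)", but nothing below in the visible revision names them, so the pointer dangles and the only enumeration is lost. Either keep the list in the lead or add the section that "see below" refers to. The piped link "[[file system | file systems]]" also has stray spaces around the pipe; "[[file system|file systems]]" would match the other links in the sentence.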


Latest revision as of 18:18, 7 May 2014

The Sleuth Kit (TSK) is a collection of UNIX-based command line tools that allow you to investigate a computer. The current focus of the tools is the file and volume systems and TSK supports many file systems (see below).

Autopsy is a frontend for TSK which allows browser-based access to the TSK tools.

Features

The Sleuth Kit is arranged in layers. There is a data layer, which is concerned with how information is stored on a disk, and a metadata layer, which is concerned with information such as inodes and directories. The commands that deal with the data layer are prefixed with the letter d, while the commands that deal with the metadata layer are prefixed with the letter i.

Searching Abilities

Hash Databases

Evidence Collection Features

Tracks forensic activity.

History

License Notes

"The file system tools (in the src/fstools directory) are released
under the IBM open source license and Common Public License, both
are located in the license directory. The modifications to 'mactime'
from the original 'mactime' in TCT and 'mac-daddy' are released
under the Common Public License. Other tools in the src directory
are either Common Public License or the GNU Public License."